<?xml version="1.0" encoding="UTF-8"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>ctipilot.ch — Healthcare</title><link>https://ctipilot.ch/</link><atom:link href="https://ctipilot.ch/feed-healthcare.xml" rel="self" type="application/rss+xml"/><description>Items affecting healthcare providers, hospitals, public health, medical devices.</description><language>en</language><lastBuildDate>Sun, 10 May 2026 19:33:31 +0000</lastBuildDate><item><title>Groupe 3R (Réseau Radiologique Romand) — Akira ransomware claims 48 GB; 20 imaging centres across seven Swiss cantons, second attack in twelve months</title><link>https://ctipilot.ch/briefs/2026-05-10/groupe-3r-r-seau-radiologique-romand-akira-ransomware-claims-48-gb-20-imaging-ce/</link><guid isPermaLink="true">https://ctipilot.ch/briefs/2026-05-10/groupe-3r-r-seau-radiologique-romand-akira-ransomware-claims-48-gb-20-imaging-ce/</guid><pubDate>Sun, 10 May 2026 19:33:31 +0000</pubDate><dc:date>2026-05-10T19:33:31+00:00</dc:date><category>ransomware</category><category>organized-crime</category><category>data-breach</category><category>switzerland</category><description><![CDATA[<p>Akira listed Groupe 3R on its dark-web leak site on approximately 2026-05-08, claiming an attack dated 2026-04-30 and threatening release of 48 GB including employee identity documents (passports, driving licences, national IDs), patient records (addresses, phone numbers, medical data), payment information, and signed NDAs (<a href="https://www.groupe3r.ch/fr/information-importante-perturbation-de-nos-services-7268/" target="_blank" rel="noopener noreferrer">Groupe 3R victim statement, 2026-04-30</a> · <a href="https://www.ictjournal.ch/news/2026-05-06/le-reseau-radiologique-romand-a-nouveau-victime-dune-cyberattaque-ses-systemes" target="_blank" rel="noopener noreferrer">ICTjournal.ch, 2026-05-06</a> · <a 
href="https://www.blick.ch/fr/suisse/romande/cyberattaque-le-groupe-romand-3r-de-radiologie-cible-id21930477.html" target="_blank" rel="noopener noreferrer">Blick.ch, 2026-05-07</a>). Groupe 3R operates 20 medical-imaging centres across seven Romandie cantons (Vaud, Valais, Fribourg, Genève, Neuchâtel, Berne, and a further canton listed in the operator statement) — making this a direct Swiss critical-health-infrastructure incident. The operator confirmed the attack publicly via its own website on 2026-04-30, notified the Federal Office for Cybersecurity (BACS/OFCS), filed a criminal complaint, and explicitly stated it will not pay ransom. Legacy examination data remains inaccessible at the time of the public update; the security of new examination data has been restored on rebuilt infrastructure. Data exfiltration was not confirmed by the victim; Akira&#39;s leak-site post asserts 48 GB exfiltrated. The operator&#39;s own statement notes this is its second cyberattack within twelve months and characterises the prior April 2025 incident as having involved different attackers and methodology.</p>]]></description><content:encoded><![CDATA[<p>Akira listed Groupe 3R on its dark-web leak site on approximately 2026-05-08, claiming an attack dated 2026-04-30 and threatening release of 48 GB including employee identity documents (passports, driving licences, national IDs), patient records (addresses, phone numbers, medical data), payment information, and signed NDAs (<a href="https://www.groupe3r.ch/fr/information-importante-perturbation-de-nos-services-7268/" target="_blank" rel="noopener noreferrer">Groupe 3R victim statement, 2026-04-30</a> · <a href="https://www.ictjournal.ch/news/2026-05-06/le-reseau-radiologique-romand-a-nouveau-victime-dune-cyberattaque-ses-systemes" target="_blank" rel="noopener noreferrer">ICTjournal.ch, 2026-05-06</a> · <a href="https://www.blick.ch/fr/suisse/romande/cyberattaque-le-groupe-romand-3r-de-radiologie-cible-id21930477.html" target="_blank" 
rel="noopener noreferrer">Blick.ch, 2026-05-07</a>). Groupe 3R operates 20 medical-imaging centres across seven Romandie cantons (Vaud, Valais, Fribourg, Genève, Neuchâtel, Berne, and a further canton listed in the operator statement) — making this a direct Swiss critical-health-infrastructure incident. The operator confirmed the attack publicly via its own website on 2026-04-30, notified the Federal Office for Cybersecurity (BACS/OFCS), filed a criminal complaint, and explicitly stated it will not pay ransom. Legacy examination data remains inaccessible at the time of the public update; the security of new examination data has been restored on rebuilt infrastructure. Data exfiltration was not confirmed by the victim; Akira&#39;s leak-site post asserts 48 GB exfiltrated. The operator&#39;s own statement notes this is its second cyberattack within twelve months and characterises the prior April 2025 incident as having involved different attackers and methodology.</p>
<p>Akira&#39;s documented playbook against European healthcare and small-to-mid enterprise targets emphasises edge-device initial access (Cisco ASA / FTD CVEs, Fortinet SSL-VPN CVEs, VMware ESXi authenticated RCE) and intermittent file-encryption to evade EDR file-IO heuristics; ATT&amp;CK techniques observed across recent Akira incidents include <a href="https://attack.mitre.org/techniques/T1190/" target="_blank" rel="noopener noreferrer">T1190 Exploit Public-Facing Application</a>, <a href="https://attack.mitre.org/techniques/T1133/" target="_blank" rel="noopener noreferrer">T1133 External Remote Services</a>, <a href="https://attack.mitre.org/techniques/T1486/" target="_blank" rel="noopener noreferrer">T1486 Data Encrypted for Impact</a>, and <a href="https://attack.mitre.org/techniques/T1567/" target="_blank" rel="noopener noreferrer">T1567 Exfiltration Over Web Service</a>.</p>
<p><strong>Defender takeaway:</strong> Swiss and DACH healthcare operators with internet-exposed Cisco ASA/FTD, Fortinet SSL-VPN, or VMware ESXi management interfaces should validate that all 2025–2026 Akira-targeted CVEs are patched, that EDR rules trigger on intermittent-encryption file-IO patterns (write-then-skip-then-write of fixed-block ranges), and that radiology-modality VLANs are network-segmented from corporate AD; PACS/RIS environments are frequently co-tenanted with Windows file shares, providing trivial east-west reach once an attacker lands. Imaging operators that depend on a single ransomware-targeted partner should review business-continuity arrangements: this is the second 3R outage inside a year and referrers will already have continuity questions.</p><aside class="item-footer"><span class="meta-sources"><strong>Sources:</strong> <a class="src-primary" href="https://www.groupe3r.ch/fr/information-importante-perturbation-de-nos-services-7268/" target="_blank" rel="noopener noreferrer">Groupe 3R victim statement, 2026-04-30</a> · <a class="src-additional" href="https://www.ictjournal.ch/news/2026-05-06/le-reseau-radiologique-romand-a-nouveau-victime-dune-cyberattaque-ses-systemes" target="_blank" rel="noopener noreferrer">ICTjournal.ch, 2026-05-06</a> · <a class="src-additional" href="https://www.blick.ch/fr/suisse/romande/cyberattaque-le-groupe-romand-3r-de-radiologie-cible-id21930477.html" target="_blank" rel="noopener noreferrer">Blick.ch, 2026-05-07</a></span></aside>]]></content:encoded></item><item><title>Validate Akira-targeted edge-device CVE patch state in CH/EU healthcare</title><link>https://ctipilot.ch/briefs/2026-05-10/validate-akira-targeted-edge-device-cve-patch-state-in-ch-eu-healthcare/</link><guid isPermaLink="true">https://ctipilot.ch/briefs/2026-05-10/validate-akira-targeted-edge-device-cve-patch-state-in-ch-eu-healthcare/</guid><pubDate>Sun, 10 May 2026 19:33:31 +0000</pubDate><dc:date>2026-05-10T19:33:31+00:00</dc:date><category>ransomware</category><category>organized-crime</category><category>switzerland</category><category>europe</category><description><![CDATA[<p>Swiss and DACH healthcare operators (and any organisation operating PACS/RIS or radiology-modality networks) should re-validate patch state on Cisco ASA/FTD, Fortinet SSL-VPN, and VMware ESXi management interfaces, and confirm radiology-modality VLAN segmentation from corporate Active Directory. Confirm EDR rules trigger on intermittent file-encryption file-IO patterns. Review business-continuity contracts for ransomware-targeted single-supplier dependencies (the second 3R outage in twelve months will already have referrer-side continuity questions).</p>]]></description><content:encoded><![CDATA[<p>Swiss and DACH healthcare operators (and any organisation operating PACS/RIS or radiology-modality networks) should re-validate patch state on Cisco ASA/FTD, Fortinet SSL-VPN, and VMware ESXi management interfaces, and confirm radiology-modality VLAN segmentation from corporate Active Directory. Confirm EDR rules trigger on intermittent file-encryption file-IO patterns. 
Review business-continuity contracts for ransomware-targeted single-supplier dependencies (the second 3R outage in twelve months will already have referrer-side continuity questions).</p><aside class="item-footer"><span class="meta-sources"><strong>Sources:</strong> <a class="src-primary" href="https://www.groupe3r.ch/fr/information-importante-perturbation-de-nos-services-7268/" target="_blank" rel="noopener noreferrer">Groupe 3R victim statement, 2026-04-30</a></span></aside>]]></content:encoded></item><item><title>Swiss and DACH Deployment Context</title><link>https://ctipilot.ch/briefs/2026-05-09/swiss-and-dach-deployment-context/</link><guid isPermaLink="true">https://ctipilot.ch/briefs/2026-05-09/swiss-and-dach-deployment-context/</guid><pubDate>Sun, 10 May 2026 19:33:31 +0000</pubDate><dc:date>2026-05-10T19:33:31+00:00</dc:date><category>vulnerabilities</category><category>pre-auth</category><category>rce</category><category>auth-bypass</category><category>patch-available</category><category>zero-click</category><category>switzerland</category><category>dach</category><description><![CDATA[<p>SEPPmail is the market leader in cryptographic email processing in the Swiss public sector. The primary drivers are cantonal administrative requirements under the Federal Act on Data Protection (nFADP/DSG, effective 1 September 2023) and cantonal healthcare data legislation mandating encrypted transmission of personal health information. NCSC-CH advisory 12551 was published in response to this cluster; any Swiss federal body, cantonal administration, or healthcare provider running SEPPmail should treat this as a mandatory same-day response event. 
The Swiss Federal Chancellery&#39;s ICT security baseline for federal agencies (Sicherheitsstandard IKT des Bundes, ISBB) classifies email gateway compromise as a Level 3 incident requiring escalation to NCSC-CH within 24 hours.</p>]]></description><content:encoded><![CDATA[<p>SEPPmail is the market leader in cryptographic email processing in the Swiss public sector. The primary drivers are cantonal administrative requirements under the Federal Act on Data Protection (nFADP/DSG, effective 1 September 2023) and cantonal healthcare data legislation mandating encrypted transmission of personal health information. NCSC-CH advisory 12551 was published in response to this cluster; any Swiss federal body, cantonal administration, or healthcare provider running SEPPmail should treat this as a mandatory same-day response event. The Swiss Federal Chancellery&#39;s ICT security baseline for federal agencies (Sicherheitsstandard IKT des Bundes, ISBB) classifies email gateway compromise as a Level 3 incident requiring escalation to NCSC-CH within 24 hours.</p>
<p>For DACH-region organisations: BSI IT-Grundschutz includes email encryption gateways in the APP.4.4 component scope; a known RCE cluster in such a gateway qualifies for an extraordinary IT-Grundschutz gap notification under ISMS procedures.</p><aside class="item-footer"><span class="meta-sources"><strong>Sources:</strong> <a class="src-primary" href="https://security-hub.ncsc.admin.ch/api/posts/12551/details" target="_blank" rel="noopener noreferrer">NCSC-CH Security Hub post 12551, 2026-05-08</a> · <a class="src-additional" href="https://downloads.seppmail.com/extrelnotes/150/ERN15.0.html#security" target="_blank" rel="noopener noreferrer">SEPPmail release notes v15.0</a></span></aside>]]></content:encoded></item></channel></rss>